{"id":78678,"date":"2026-05-30T23:21:03","date_gmt":"2026-05-30T23:21:03","guid":{"rendered":"http:\/\/bangla.sitestree.com\/?p=78678"},"modified":"2026-05-30T23:21:04","modified_gmt":"2026-05-30T23:21:04","slug":"linux-acl-vs-selinux","status":"publish","type":"post","link":"http:\/\/bangla.sitestree.com\/?p=78678","title":{"rendered":"Linux: ACL vs Selinux"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">ACL vs SELinux<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>ACL<\/strong> and <strong>SELinux<\/strong> both control access, but they work at different levels.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>ACL<\/th><th>SELinux<\/th><\/tr><\/thead><tbody><tr><td>Full name<\/td><td>Access Control List<\/td><td>Security-Enhanced Linux<\/td><\/tr><tr><td>Main purpose<\/td><td>Give extra file permissions to specific users\/groups<\/td><td>Enforce system-wide security policy<\/td><\/tr><tr><td>Access model<\/td><td>DAC: Discretionary Access Control<\/td><td>MAC: Mandatory Access Control<\/td><\/tr><tr><td>Controlled by<\/td><td>File owner\/root<\/td><td>SELinux policy\/root<\/td><\/tr><tr><td>Works on<\/td><td>Files\/directories<\/td><td>Files, processes, ports, services, users<\/td><\/tr><tr><td>Common commands<\/td><td><code>getfacl<\/code>, <code>setfacl<\/code><\/td><td><code>getenforce<\/code>, <code>ls -Z<\/code>, <code>semanage<\/code>, <code>restorecon<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Simple explanation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">ACL<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">ACL is like saying:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cThis specific user or group can access this file\/directory.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p 
class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>setfacl -m u:john:rwx projectdir\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This gives user <code>john<\/code> read, write, and execute permission on <code>projectdir<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Check ACL:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>getfacl projectdir\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">ACL extends normal Linux permissions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>owner \/ group \/ others\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">So ACL is mainly about <strong>who can access a file or directory<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">SELinux<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">SELinux is like saying:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cEven if Linux permissions allow this, the system security policy must also allow it.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -Z \/var\/www\/html\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You may see SELinux context labels such as:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>system_u:object_r:httpd_sys_content_t:s0\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This label tells SELinux what type of object it is.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, Apache may be allowed to read files labeled:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>httpd_sys_content_t\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">But Apache may be blocked from reading a file with the wrong SELinux label, even if file permissions are <code>777<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 
class=\"wp-block-heading\">Important rule<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For access to work, <strong>both must allow it<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Linux permissions \/ ACL must allow it\nAND\nSELinux policy must allow it\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If either one denies access, the access fails.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ACL allows user john\nSELinux denies the action\nResult: Access denied\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Another example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELinux allows Apache\nFile permission denies Apache\nResult: Access denied\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Example situation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Suppose Apache cannot read a web page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You check normal permissions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -l \/var\/www\/html\/index.html\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-rw-r--r-- 1 root root index.html\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Looks okay.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Then check SELinux label:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -Z \/var\/www\/html\/index.html\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If the label is wrong, Apache may still be denied.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fix SELinux context:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo restorecon -v \/var\/www\/html\/index.html\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or for the whole directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo restorecon -Rv \/var\/www\/html\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Commands summary<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">ACL commands<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>getfacl file.txt\nsetfacl -m u:john:r file.txt\nsetfacl -x u:john file.txt\nsetfacl -b file.txt\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">SELinux commands<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>getenforce\nsestatus\nls -Z file.txt\nrestorecon -v file.txt\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Slide-friendly summary<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>ACL = extra file permissions for specific users\/groups.\nSELinux = mandatory security policy using labels and rules.\n\nACL answers: \u201cWhich user\/group can access this file?\u201d\nSELinux answers: \u201cIs this process allowed to access this object in this way?\u201d\n\nAccess works only when both Linux permissions\/ACL and SELinux policy allow it.<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">REF: AI Tools\/ChatGPT<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ACL vs SELinux ACL and SELinux both control access, but they work at different levels. 
Feature ACL SELinux Full name Access Control List Security-Enhanced Linux Main purpose Give extra file permissions to specific users\/groups Enforce system-wide security policy Access model DAC: Discretionary Access Control MAC: Mandatory Access Control Controlled by File owner\/root SELinux policy\/root Works &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"http:\/\/bangla.sitestree.com\/?p=78678\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1976],"tags":[],"class_list":["post-78678","post","type-post","status-publish","format-standard","hentry","category-anything-linux","item-wrap"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":76576,"url":"http:\/\/bangla.sitestree.com\/?p=76576","url_meta":{"origin":78678,"position":0},"title":"How to Disable SELinux","author":"Sayed","date":"January 12, 2025","format":false,"excerpt":"Ref: https:\/\/www.ibm.com\/docs\/en\/tnpm\/1.4.5?topic=tasks-disable-selinux-linux-only Sample File:","rel":"","context":"In &quot;Root&quot;","block_context":{"text":"Root","link":"http:\/\/bangla.sitestree.com\/?cat=1"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/bangla.sitestree.com\/wp-content\/uploads\/2025\/01\/image-9.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":76574,"url":"http:\/\/bangla.sitestree.com\/?p=76574","url_meta":{"origin":78678,"position":1},"title":"selinux: getsebool -a sample output","author":"Sayed","date":"January 12, 2025","format":false,"excerpt":"getsebool -a | head abrt_anon_write --> offabrt_handle_event --> offabrt_upload_watch_anon_write --> onantivirus_can_scan_system --> offantivirus_use_jit --> offauditadm_exec_content --> onauthlogin_nsswitch_use_ldap --> offauthlogin_radius --> offauthlogin_yubikey --> 
offawstats_purge_apache_log_files --> off","rel":"","context":"In &quot;Root&quot;","block_context":{"text":"Root","link":"http:\/\/bangla.sitestree.com\/?cat=1"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":20401,"url":"http:\/\/bangla.sitestree.com\/?p=20401","url_meta":{"origin":78678,"position":2},"title":"Learn some Centos\/Redhat Linux: RHCE: MariaDB Administration on Redhat\/Fedora\/CentOS","author":"Author-Check- Article-or-Video","date":"February 20, 2021","format":false,"excerpt":"RHCE: MariaDB Administration on Redhat\/Fedora\/CentOS Check if mariaDB is installed or not 130 yum list installed | grep ^mariadb mariaDB originated from MySQL - after MySQL Got Bought by Oracle 133 yum list installed | grep ^mariadb I see - installed though not completely Output: mariadb-libs.x86_64 1:5.5.52-1.el7 @anaconda There are\u2026","rel":"","context":"In &quot;FromSitesTree.com&quot;","block_context":{"text":"FromSitesTree.com","link":"http:\/\/bangla.sitestree.com\/?cat=1917"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":20403,"url":"http:\/\/bangla.sitestree.com\/?p=20403","url_meta":{"origin":78678,"position":3},"title":"Learn some Centos\/Redhat Linux: RHCE: MariaDB Administration on Redhat\/Fedora\/CentOS","author":"Author-Check- Article-or-Video","date":"February 20, 2021","format":false,"excerpt":"The author is: the_authornRHCE: MariaDB Administration on Redhat\/Fedora\/CentOS Check if mariaDB is installed or not 130 yum list installed | grep ^mariadb mariaDB originated from MySQL - after MySQL Got Bought by Oracle 133 yum list installed | grep ^mariadb I see - installed though not completely Output: mariadb-libs.x86_64 1:5.5.52-1.el7\u2026","rel":"","context":"In 
&quot;FromSitesTree.com&quot;","block_context":{"text":"FromSitesTree.com","link":"http:\/\/bangla.sitestree.com\/?cat=1917"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":20405,"url":"http:\/\/bangla.sitestree.com\/?p=20405","url_meta":{"origin":78678,"position":4},"title":"Learn some Centos\/Redhat Linux: RHCE: MariaDB Administration on Redhat\/Fedora\/CentOS","author":"Author-Check- Article-or-Video","date":"February 20, 2021","format":false,"excerpt":"The author is: the_authornRHCE: MariaDB Administration on Redhat\/Fedora\/CentOS Check if mariaDB is installed or not 130 yum list installed | grep ^mariadb mariaDB originated from MySQL - after MySQL Got Bought by Oracle 133 yum list installed | grep ^mariadb I see - installed though not completely Output: mariadb-libs.x86_64 1:5.5.52-1.el7\u2026","rel":"","context":"In &quot;FromSitesTree.com&quot;","block_context":{"text":"FromSitesTree.com","link":"http:\/\/bangla.sitestree.com\/?cat=1917"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":20409,"url":"http:\/\/bangla.sitestree.com\/?p=20409","url_meta":{"origin":78678,"position":5},"title":"Learn some Centos\/Redhat Linux: RHCE: MariaDB Administration on Redhat\/Fedora\/CentOS","author":"Author-Check- Article-or-Video","date":"February 20, 2021","format":false,"excerpt":"The author is: the_authornRHCE: MariaDB Administration on Redhat\/Fedora\/CentOS Check if mariaDB is installed or not 130 yum list installed | grep ^mariadb mariaDB originated from MySQL - after MySQL Got Bought by Oracle 133 yum list installed | grep ^mariadb I see - installed though not completely Output: mariadb-libs.x86_64 1:5.5.52-1.el7\u2026","rel":"","context":"In 
&quot;FromSitesTree.com&quot;","block_context":{"text":"FromSitesTree.com","link":"http:\/\/bangla.sitestree.com\/?cat=1917"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=\/wp\/v2\/posts\/78678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=78678"}],"version-history":[{"count":1,"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=\/wp\/v2\/posts\/78678\/revisions"}],"predecessor-version":[{"id":78679,"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=\/wp\/v2\/posts\/78678\/revisions\/78679"}],"wp:attachment":[{"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=78678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=78678"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bangla.sitestree.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=78678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}